Not able to access shared folders after user migration
-
Monday, December 24, 2012 1:13 PM
I are facing an issue where users are not able to access the shares after
they have been migrated to the target domain.In the above diagram we have two source domain and one target domain, the
users from Source 1 are able to access the shares on the source domain after
migration to the Target domain however this is not the case with the Source 2
users. They get a prompt to provide user name and password when they try to
access the shared folder on the Source 2 DC, more surprisingly the credential
also don’t work, neither from Target not from Source 2The users are member of a group which has a permission on the shared folder,
the Groups are also migrated to the target domain alone with their SID Histories
and the user access token also contains the SID. (User access token in Green below)The user is using window XP machine to logon and access the shares, however
when we tried the same user login to a windows 2k8 sever and accessed the share
it was working.Note: the win 2k8 server is already on the Target domain whereas the client
win xp machine has been newly migrated to the new domain in the migration
process.The Group Source
2\Migration-FileShare-Test-DL gets migrated to the
target domain as
Target\Migration-FileShare-Test-DL-RCG which
has the SID of the Target\Migration-FileShare-Test-DL group in
its SID History. The user is a member of the group in the source domain and also
in the target domain.One highlighted in yellow is the SID for Source
2\Migration-FileShare-Test-DLAccess Token for the user
Username =
AmyHTS Session ID:
4User
S-1-5-21-1421919476-1861090634-2614085446-1002425Groups:
00
S-1-5-21-1421919476-1861090634-2614085446-513 Attributes - Mandatory
Default Enabled01 S-1-1-0
Attributes - Mandatory Default
Enabled02
S-1-5-32-545 Attributes - Mandatory
Default Enabled03
S-1-5-32-554 Attributes - Mandatory
Default Enabled04 S-1-5-2
Attributes - Mandatory Default
Enabled05 S-1-5-11
Attributes - Mandatory Default
Enabled06 S-1-5-15
Attributes - Mandatory Default
Enabled07
S-1-5-5-0-238314018 Attributes - Mandatory
Default Enabled LogonId08
S-1-5-21-1421919476-1861090634-2614085446-1002433 Attributes - Mandatory
Default Enabled09
S-1-5-21-1421919476-1861090634-2614085446-1002434 Attributes - Mandatory
Default Enabled10
S-1-5-21-1373731602-3536139840-1206636429-48219 Attributes - Mandatory
Default Enabled11
S-1-5-21-1373731602-3536139840-1206636429-50054 Attributes - Mandatory
Default Enabled12
S-1-5-21-40218438-1539389625-985433658-34730 Attributes - Mandatory
Default Enabled13
S-1-5-21-362788745-1516629465-3126525450-23021 Attributes - Mandatory
Default Enabled14
S-1-5-21-1421919476-1861090634-2614085446-1002435 Attributes - Mandatory
Default Enabled15
S-1-5-21-362788745-1516629465-3126525450-23078 Attributes - Mandatory
Default Enabled16
S-1-16-8192 Attributes - Primary Group:
S-1-5-21-1421919476-1861090634-2614085446-513Privs
00 0x000000006
SeUnsolicitedInputPrivilege Attributes - Enabled Default01 0x000000017
SeChangeNotifyPrivilege Attributes - Enabled Default02 0x000000021
Unknown Privilege Attributes - Enabled DefaultAuth ID
0:e3462d8Impersonation
Level: IdentificationTokenType
ImpersonationPlease let me know what can be the possible issues here, also please let me
know if anyone of you need any more information on this. Any help would be
highly appreciated.
Regards, Krishnakant
- Edited by Krishnakant MahamuniMicrosoft Employee Monday, December 24, 2012 1:14 PM
All Replies
-
Monday, December 24, 2012 4:12 PM
I am little confused with your description here.
Do you have same user in Source1 and Source2? How did you configure the permission on “Shared Folder”?
Are you merging these 2 users in the target domain?
Also, how did you generate the token info?
Santhosh Sivarajan | Houston, TX
Windows 2012 Book - Migrating from 2008 to Windows Server 2012
http://www.sivarajan.com/
This posting is provided AS IS with no warranties,and confers no rights.- Proposed As Answer by K_evin ZhuMicrosoft Contingent Staff, Moderator Wednesday, December 26, 2012 1:47 AM
- Marked As Answer by K_evin ZhuMicrosoft Contingent Staff, Moderator Thursday, December 27, 2012 2:12 AM
-
Tuesday, December 25, 2012 12:10 AM
As Santhosh mentioned, it is not really clear what you have done exactly.
Is SID History filtering enabled between domains? See that: http://blogs.technet.com/b/csstwplatform/archive/2010/05/06/how-to-disabling-sid-filter-quarantining-allowing-sid-history.aspx
You can also apply the needed translations using ADMT on the File Server itself so that the permissions will be translated to the new ones.
This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
- Proposed As Answer by K_evin ZhuMicrosoft Contingent Staff, Moderator Wednesday, December 26, 2012 1:46 AM
-
Thursday, December 27, 2012 2:11 AMModerator
Hi,
As this thread has been quiet for a while, we will mark it as ‘Answered’ as the information provided should be helpful. If you need further help, please feel free to reply this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.
Best Regards
KevinIf you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
.png)
